supabase-pentest

Original🇺🇸 English
Translated

Orchestrate a complete Supabase security audit with guided step-by-step execution and ownership confirmation.

7installs
Sourceyoanbernabeu/supabase-pentest-skills
Added on

NPX Install

npx skill4agent add yoanbernabeu/supabase-pentest-skills supabase-pentest

Tags

Translated version includes tags in frontmatter
supabase-security-auditsecurity-assessmentplan-modeevidence-collectionaudit-reporting

SKILL.md Content

View Translation Comparison →

Supabase Security Audit Orchestrator

🔵 RECOMMENDED: USE PLAN MODE FOR COMPLEX AUDITS
When your environment supports Plan Mode, it is strongly recommended to activate it before starting the audit:
  • Use the 
    EnterPlanMode
    tool at the start of the orchestration
  • Plan Mode enables better organization of multi-phase audits
  • It allows the user to validate the approach before execution
  • If Plan Mode is not available, proceed directly with execution
Plan Mode provides better traceability and user control over the audit process.
🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED
You MUST write to context files AS YOU GO, not just at the end.
  • Write to 
    .sb-pentest-context.json
    IMMEDIATELY after each discovery
  • Log to 
    .sb-pentest-audit.log
    BEFORE and AFTER each action
  • DO NOT wait until a phase or skill completes to update files
  • If the audit crashes or is interrupted, all prior findings must already be saved
This is not optional. Failure to write progressively is a critical error.
This skill orchestrates a complete security audit of a Supabase-based application, guiding you through each phase with validation checkpoints.

⚠️ MANDATORY: Progressive Context File Management

BEFORE starting any audit, you MUST:
  1. Create 
    .sb-pentest-context.json
    if it doesn't exist
  2. Create 
    .sb-pentest-audit.log
    if it doesn't exist
  3. Create 
    .sb-pentest-evidence/
    directory structure
  4. Initialize context with target URL and timestamp
DURING execution - WRITE AS YOU GO:
  1. BEFORE each action → Log to 
    .sb-pentest-audit.log
  2. AFTER each discovery → IMMEDIATELY update 
    .sb-pentest-context.json
  3. AFTER each test → Save evidence to 
    .sb-pentest-evidence/
  4. DO NOT batch writes → Each finding must be saved as it's discovered
  5. Verify after each skill → Check that ALL files were updated before proceeding

📋 SYSTEMATIC DOCUMENTATION REQUIREMENTS

All tracking files MUST be systematically maintained throughout the entire audit.

Required Files (MANDATORY)

FilePurposeUpdate Frequency
.sb-pentest-context.json
Centralized state and findingsAfter EVERY discovery
.sb-pentest-audit.log
Chronological action logBEFORE and AFTER every action
.sb-pentest-evidence/timeline.md
Timestamped findings narrativeAfter EVERY significant finding
.sb-pentest-evidence/curl-commands.sh
Reproducible test commandsAfter EVERY curl/HTTP request

Verification Checklist (Before Each Phase Transition)

Before moving to the next phase, the orchestrator MUST verify:
  • .sb-pentest-context.json
    contains all discoveries from current phase
  • .sb-pentest-audit.log
    has entries for all actions performed
  • Evidence files exist in 
    .sb-pentest-evidence/XX-phase-name/
  • timeline.md
    is updated with any P0/P1/P2 findings
  • curl-commands.sh
    contains all HTTP requests made
If any file is missing or incomplete, DO NOT proceed to the next phase.

Progressive Write Pattern

Each skill MUST follow this pattern:
1. [LOG] Write START entry to audit.log
2. [CONTEXT] Update context.json with "phase_in_progress"
3. [ACTION] Perform the test/scan
4. [EVIDENCE] Save evidence file IMMEDIATELY
5. [CURL] Append curl command to curl-commands.sh
6. [TIMELINE] Update timeline.md if significant finding
7. [CONTEXT] Update context.json with results
8. [LOG] Write COMPLETE entry to audit.log

Failure Recovery

If a skill or phase fails:
  • All files updated up to the failure point are preserved
  • The audit can be resumed from the last successful checkpoint
  • Context file indicates exactly where the audit stopped
⚠️ WHY THIS MATTERS:
  • If the audit is interrupted, crashes, or times out, findings up to that point are preserved
  • Long-running skills must save progress incrementally, not just at the end
  • Users can monitor progress in real-time by watching the log file
FAILURE TO UPDATE CONTEXT FILES PROGRESSIVELY IS NOT ACCEPTABLE.
Each individual skill is responsible for updating these files AS IT WORKS, not just at completion. If a skill does not update the context progressively, the orchestrator must do it immediately after each discovery.

When to Use This Skill

  • Running a complete security assessment on a Supabase application
  • Performing internal security self-assessment before production
  • Auditing an application after security concerns are raised
  • Conducting periodic security reviews

Prerequisites

  • A public URL of the application to audit
  • Authorization to test the target application (you must own it or have explicit permission)
  • Internet access to reach the target URL

Important Security Notice

⚠️  AUTHORIZATION REQUIRED

Before proceeding, you must confirm:

1. I own this application, OR
2. I have explicit written authorization to perform security testing

Unauthorized security testing may violate laws and terms of service.
Type "I confirm I am authorized to test this application" to proceed.

Audit Phases

The orchestrator runs these phases sequentially with confirmation between each.
📁 REMINDER: After EVERY phase, verify that:
  • .sb-pentest-context.json
    is updated with phase results
  • .sb-pentest-audit.log
    has START and COMPLETE entries
  • Evidence files are saved to 
    .sb-pentest-evidence/XX-phase/
  • timeline.md
    reflects any significant findings
  • curl-commands.sh
    contains all HTTP requests made

Phase 0: Initialization

Sets up the audit environment and evidence collection.
Pre-Phase Action (if supported):
  • Use 
    EnterPlanMode
     if the environment supports it
  • This allows the user to validate the audit approach before execution
  • If Plan Mode is not available, proceed directly
Actions:
  • Create 
    .sb-pentest-context.json
  • Create 
    .sb-pentest-audit.log
  • Create 
    .sb-pentest-evidence/
    directory structure
  • Initialize 
    curl-commands.sh
    with header
  • Initialize 
    timeline.md
    with audit start
  • Log initialization to 
    .sb-pentest-audit.log
Skills invoked:
  • supabase-evidence
    (initialization)
Verification before proceeding:
  • All 4 tracking files exist
  • Evidence directory structure is complete
  • User authorization confirmed
Output: Ready to collect evidence with full directory structure

Phase 1: Detection

Determines if the target uses Supabase and extracts basic information.
Skills invoked:
  • supabase-detect
Output: Confirmation of Supabase usage, project URL identified
Evidence saved to: 
.sb-pentest-evidence/01-detection/

Phase 2: Key Extraction

Scans client-side code for exposed credentials.
Skills invoked:
  • supabase-extract-url
  • supabase-extract-anon-key
  • supabase-extract-service-key
  • supabase-extract-jwt
  • supabase-extract-db-string
Output: List of all discovered credentials with severity assessment
Evidence saved to: 
.sb-pentest-evidence/02-extraction/

Phase 3: API Audit

Tests PostgREST API exposure and RLS policies.
Skills invoked:
  • supabase-audit-tables-list
  • supabase-audit-tables-read
  • supabase-audit-rls
  • supabase-audit-rpc
Output: Tables accessible, data exposure assessment, RLS gaps
Evidence saved to: 
.sb-pentest-evidence/03-api-audit/

Phase 4: Storage Audit

Checks storage bucket configurations and access.
Skills invoked:
  • supabase-audit-buckets-list
  • supabase-audit-buckets-read
  • supabase-audit-buckets-public
Output: Bucket inventory, public exposure, accessible files
Evidence saved to: 
.sb-pentest-evidence/04-storage-audit/

Phase 5: Auth Audit

Analyzes authentication configuration and potential weaknesses.
Skills invoked:
  • supabase-audit-auth-config
  • supabase-audit-auth-signup
  • supabase-audit-auth-users
  • supabase-audit-authenticated
    NEW: Creates test user (with consent) to detect IDOR
Output: Auth provider analysis, signup restrictions, enumeration risks, authenticated vs anonymous comparison
Evidence saved to: 
.sb-pentest-evidence/05-auth-audit/
⚠️ Note: 
supabase-audit-authenticated
will ask for explicit consent before creating a test user. This is optional but highly recommended to detect IDOR and cross-user access vulnerabilities.

Phase 6: Realtime & Functions Audit

Tests WebSocket channels and Edge Functions.
Skills invoked:
  • supabase-audit-realtime
  • supabase-audit-functions
Output: Exposed channels, function endpoints, access control issues
Evidence saved to: 
.sb-pentest-evidence/06-realtime-audit/
and 
.sb-pentest-evidence/07-functions-audit/

Phase 7: Report Generation

Compiles all findings into a comprehensive report.
Skills invoked:
  • supabase-report
Output: Full Markdown report with executive summary, findings, and remediation

Workflow with Plan Mode

When Plan Mode is supported, the recommended workflow is:
1. User requests audit → Agent uses EnterPlanMode
2. Agent explores target superficially (detect Supabase, extract URL)
3. Agent writes plan to plan file with:
   - Target URL
   - Detected Supabase configuration
   - Proposed phases to execute
   - Estimated scope
4. Agent uses ExitPlanMode → User reviews and approves
5. Agent executes phases with systematic file updates
6. After each phase → Agent confirms files are updated
7. Final report generation
Benefits of Plan Mode:
  • User can adjust scope before execution starts
  • Better visibility into what will be tested
  • Clearer audit trail from planning to execution

Usage

Basic Full Audit (with Plan Mode)

Run a Supabase security audit on https://myapp.example.com
The agent SHOULD:
  1. Use 
    EnterPlanMode
    if available
  2. Present the audit plan for approval
  3. Execute with systematic file updates

Basic Full Audit (without Plan Mode)

Run a Supabase security audit on https://myapp.example.com --no-plan

Resume from Phase

Continue Supabase audit from Phase 3 (API Audit)

Skip Specific Phases

Run Supabase audit on https://myapp.example.com, skip auth audit

Context Files and Evidence (MANDATORY)

⚠️ CRITICAL: Updating tracking files and collecting evidence is MANDATORY.
The orchestrator creates and manages:
File/DirectoryPurpose
.sb-pentest-context.json
Stores extracted data between phases
.sb-pentest-audit.log
Logs all actions with timestamps
.sb-pentest-evidence/
Evidence directory for professional audits

Evidence Collection

The orchestrator initializes the evidence directory at the start of every audit:
.sb-pentest-evidence/
├── README.md                    # Evidence index
├── curl-commands.sh             # All reproducible curl commands
├── timeline.md                  # Chronological findings
├── 01-detection/                # Detection evidence
├── 02-extraction/               # Key extraction evidence
├── 03-api-audit/                # API audit evidence
│   ├── tables/
│   ├── data-samples/
│   ├── rls-tests/
│   └── rpc-tests/
├── 04-storage-audit/            # Storage audit evidence
│   ├── buckets/
│   └── public-url-tests/
├── 05-auth-audit/               # Auth audit evidence
│   ├── signup-tests/
│   └── enumeration-tests/
├── 06-realtime-audit/           # Realtime audit evidence
├── 07-functions-audit/          # Functions audit evidence
└── screenshots/                 # Optional screenshots
Each skill MUST save evidence to its respective directory as it works.

Mandatory Update Rules

  1. After each skill execution, 
    .sb-pentest-context.json
    MUST be updated with results
  2. Every action MUST be logged in 
    .sb-pentest-audit.log
    with timestamp
  3. If files don't exist, they MUST be created at audit start
  4. Never complete a skill without updating context files

Mandatory Log Format

Each entry in 
.sb-pentest-audit.log
must follow this format:
[YYYY-MM-DD HH:MM:SS] [SKILL_NAME] [STATUS] Message
Example:
[2025-01-31 14:00:00] [supabase-detect] [START] Starting Supabase detection
[2025-01-31 14:00:05] [supabase-detect] [SUCCESS] Supabase detected
[2025-01-31 14:00:05] [supabase-detect] [CONTEXT_UPDATED] .sb-pentest-context.json updated

Context File Structure

json
{
  "target_url": "https://myapp.example.com",
  "started_at": "2025-01-31T10:00:00Z",
  "authorization_confirmed": true,
  "supabase": {
    "detected": true,
    "project_url": "https://abc123.supabase.co",
    "anon_key": "eyJ...",
    "service_key_exposed": false
  },
  "phases_completed": ["detection", "extraction"],
  "findings": []
}

Rate Limiting

The orchestrator implements adaptive rate limiting:
  1. Starts with normal request speed
  2. If HTTP 429 (Too Many Requests) is detected, backs off exponentially
  3. Respects Supabase's rate limit headers

Output Format

After each phase:
═══════════════════════════════════════════════════════════
 PHASE 2 COMPLETE: Key Extraction
═══════════════════════════════════════════════════════════

 Findings:
 ├── ✅ Anon key found (expected)
 ├── ❌ P0: Service role key EXPOSED in main.js:1247
 └── ⚠️  P1: JWT secret pattern detected

 Proceed to Phase 3 (API Audit)? [Y/n]
═══════════════════════════════════════════════════════════

Best Practices

  • Run audits in non-production hours to minimize impact
  • Save the context file for audit trail purposes
  • Review findings with your security team before remediation
  • Re-run the audit after implementing fixes to verify

Common Issues

Problem: Audit stops at Phase 1 with "Supabase not detected" ✅ Solution: The app may use a custom domain. Manually provide the Supabase URL:
Run audit with Supabase URL https://myproject.supabase.co
Problem: Rate limited during audit ✅ Solution: The orchestrator auto-adjusts. If persistent, wait 5 minutes and resume.
Problem: Context file corrupted ✅ Solution: Delete 
.sb-pentest-context.json
and restart the audit.

Related Skills

  • supabase-help
    — Quick reference for all skills
  • supabase-evidence
    — Evidence collection management
  • supabase-report
    — Generate report from existing context
  • supabase-report-compare
    — Compare with previous audits